Reasoning about digital artifacts with ACL2

J. Strother Moore
2011 Proceedings of the 5th ACM workshop on Programming languages meets program verification - PLPV '11
ACL2 is both a programming language in which computing systems can be modeled and a tool to help a designer prove properties of such models. ACL2 stands for "A Computational Logic for Applicative Common Lisp" and provides mechanized reasoning support for a first-order axiomatization of an extended subset of functional Common Lisp. Most often, ACL2 is used to produce operational semantic models of artifacts. Such models can be executed as functional Lisp programs and so have dual use as both pre-fabrication simulation engines and as analyzable mathematical models of intended (or at least designed) behavior. This project had its start 40 years ago in Edinburgh with the first Boyer-Moore Pure Lisp theorem prover and has evolved from proofs about list concatenation and reverse to proofs about industrial models. Industrial use of theorem provers to answer design questions of critical importance is so surprising to people outside of the theorem proving community that it bears emphasis. In the 1980s, the earlier Boyer-Moore theorem prover, Nqthm, was used to verify the "Computational Logic stack": a hardware/software stack starting with the NDL description of the netlist for a microprocessor and ascending through a machine code ISA, an assembler, linker, and loader, two compilers (for subsets of Pascal and Lisp), an operating system, and some simple applications. The system components were proved to compose so that properties proved of high-level software were guaranteed by the binary image produced by the composition. At around the same time, Nqthm was used to verify 21 of the 22 subroutines in the MC68020 binary machine code produced from the Berkeley C String Library by gcc -o, identifying bugs in the library as a result. Applications like these convinced us that (a) industrial-scale formal methods were practical and (b) Nqthm's Pure Lisp produced uncompetitive results compared to C when used for simulation engines. We therefore designed ACL2, which initially was Nqthm recoded to support applicative Common Lisp. The 1990s saw the first industrial application of ACL2, to verify the correspondence between a gate-level description of the Motorola CAP DSP and its microcode engine. The Lisp model of the microcode engine was proved to be bit- and cycle-accurate but op-
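As an added illustration (not code from the paper or the ACL2 distribution), here is the "dual use" the abstract describes, written in ACL2's applicative Common Lisp: a toy stack machine defined as an executable Lisp function, and a theorem about that same function. The state layout (pc stack code), the three-instruction set and the names step1 and run are assumptions of this example.

```lisp
;; Added example, not from the paper: a toy operational model in ACL2.
;; Assumed here: a state is (list pc stack code) and an instruction is
;; (push n), (add) or (mul). Nothing below is a model from the paper.

;; Execute one instruction. Unknown or missing instructions halt in place,
;; so fetching past the end of the code is harmless.
(defun step1 (s)
  (let* ((pc   (car s))
         (stk  (cadr s))
         (code (caddr s))
         (inst (nth pc code)))
    (case (car inst)
      (push (list (+ pc 1) (cons (cadr inst) stk) code))
      (add  (list (+ pc 1) (cons (+ (cadr stk) (car stk)) (cddr stk)) code))
      (mul  (list (+ pc 1) (cons (* (cadr stk) (car stk)) (cddr stk)) code))
      (otherwise s))))

;; Run the machine for n steps. The explicit clock n is what makes run a
;; total function ACL2 admits: it decreases on every recursive call.
(defun run (s n)
  (if (zp n)
      s
      (run (step1 s) (- n 1))))

;; Dual use 1: the model is a simulator. At the ACL2 prompt, evaluate it on
;; concrete data (constructed input):
;;   (run (list 0 nil '((push 2) (push 3) (add))) 3)

;; Dual use 2: the same definitions are a mathematical model. This theorem
;; quantifies over every stack stk and every a and b: after three steps the
;; sum (+ a b) sits on top of the original stack. ACL2 establishes it by
;; unfolding run and step1 three times against the concrete code.
(defthm push-push-add-leaves-sum-on-stack
  (equal (cadr (run (list 0 stk (list (list 'push a) (list 'push b) '(add)))
                    3))
         (cons (+ a b) stk))
  :rule-classes nil)
```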
doi:10.1145/1929529.1929538 dblp:conf/plpv/Moore11 fatcat:pekalxkn2zhbtotvf6u3tqybxe